On 14/12/2023 16:13, Benny Prange wrote:
> On Thu., 14 Dec. 2023 at 16:51, Mark Thomas <ma...@apache.org> wrote:
>> On 14/12/2023 15:33, Benny Prange wrote:
>>> Hi all,
>>> I am having trouble understanding the description of CVE-2023-46589.
>>> Does this CVE affect scenarios where the Apache Tomcat is the reverse
>>> proxy, or when the Apache Tomcat is running behind a reverse proxy?
>>> Is the Tomcat vulnerable to request smuggling, or other applications
>>> running behind the Tomcat?
>> Tomcat does not provide reverse proxy configuration.
>> This CVE applies when Tomcat is behind a reverse proxy.
>> Mark
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
> Thanks for the quick response.
> I'm afraid I still can't grasp it:
> From my understanding, the trailer header is used in HTTP responses. How
> can this lead to request smuggling?
Trailer headers are valid for both requests and responses.
I am not going to describe how to attack Tomcat using this CVE.
> Why is it important that there is a reverse proxy in front of the Tomcat,
Request smuggling occurs when two different HTTP servers (in this case
the reverse proxy and Tomcat) process an invalid request in different
ways. This typically results in the invalid request incorrectly being
treated as more than one request by one of those servers.
> or would the CVE also be applicable without a reverse proxy?
No.
Mark
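The failure mode Mark describes, two HTTP parsers disagreeing on where one request ends, is something a proxy operator can watch for by parsing request framing strictly and logging the features that make such disagreement possible: chunked requests that carry trailer fields, dual framing headers, and bytes left over after the body. The code below is an added example, not code from this thread or from Tomcat; the sample request, the `read_chunked` and `inspect_request` helpers and the header names are constructed for illustration, and it does not reproduce the CVE's trigger, which the thread does not describe.

```python
import re  # added example: strict chunked-request inspector, not Tomcat's own code
CHUNK_SIZE = re.compile(rb"[0-9A-Fa-f]+")  # hex digits only: no sign, prefix or spaces

def read_chunked(body: bytes):  # strict decoder -> (payload, trailer fields, leftover)
    pos, out = 0, bytearray()
    while True:
        end = body.index(b"\r\n", pos)
        size_field = body[pos:end].split(b";", 1)[0].strip()  # drop chunk extensions
        if not CHUNK_SIZE.fullmatch(size_field):
            raise ValueError("malformed chunk-size: %r" % size_field)
        size, pos = int(size_field, 16), end + 2
        if size == 0:
            break
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        out += body[pos:pos + size]
        pos += size + 2
    trailers = {}
    while True:  # the trailer section ends with an empty line
        end = body.index(b"\r\n", pos)
        line, pos = body[pos:end], end + 2
        if not line:
            break
        name, _, value = line.partition(b":")
        trailers[name.strip().lower()] = value.strip()
    return bytes(out), trailers, body[pos:]

def inspect_request(raw: bytes) -> dict:  # 'findings' = framing features worth logging
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip().lower())
    te, cl = headers.get(b"transfer-encoding", []), headers.get(b"content-length", [])
    findings = []
    if te and cl:
        findings.append("Content-Length and Transfer-Encoding both present")
    if te:
        payload, trailers, rest = read_chunked(body)
        if trailers:
            findings.append("trailer fields: " + b",".join(trailers).decode())
    else:
        n = int(cl[0]) if cl else 0
        payload, trailers, rest = body[:n], {}, body[n:]
    if rest:
        findings.append("%d bytes after the message body" % len(rest))
    return {"payload": payload, "trailers": trailers, "findings": findings}

SAMPLE = (b"POST /submit HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n"
          b"Trailer: X-Checksum\r\n\r\n5\r\nhello\r\n0\r\nX-Checksum: abc\r\n\r\n")  # constructed
```

Running `inspect_request(SAMPLE)` yields the decoded body plus a findings list naming the trailer field; a proxy that logs or rejects on non-empty findings removes the room for the two parsers to disagree.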